Can't get rid of these entries
narfette
My parents' computer is really slow and I got rid of a whole load of stuff via Ad-Aware and Spybot Search & Destroy.
There were a few entries that couldn't be deleted on the first run, nor on the restart scan.

If anyone can help out with this log I would be super grateful.

Thanks
Sam


Logfile of HijackThis v1.99.1
Scan saved at 2:38:48 PM, on 6/13/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\services.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\steam.exe
C:\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Mavis Beacon Teaches Typing Deluxe 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ED74676-734E-40C7-B684-749E8B972B13}: NameServer = 80.225.248.50 80.225.248.58
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ED74676-734E-40C7-B684-749E8B972B13}: NameServer = 80.225.248.50 80.225.248.58
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\tufflt.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q09NUEFR\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINNT\services.exe
LoPhatPhuud
First:
Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


Second:
Please download, install, and update the free version of Ewido Security Suite:
http://www.ewido.net/en/download/

[1] From the main Ewido screen, click on Update in the left menu, then click the Start update button.

[2] After the update finishes (the status bar at the bottom will display "Update successful"), close the program. Don't scan with it yet; we'll do that in SAFE MODE.

Copy the following instructions to have handy as you will need to be offline, in SAFE MODE and with IE closed so you will not be able to view this page during the process.

Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Next, run a scan with Ewido.

[3] Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so please be patient.

[4] If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

[5] When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Copy and paste the results from that scan back here please for review :)

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button :)


Last:
Run HiJackThis again and post a new log in this thread.
narfette
Hi, thanks loads for your help.

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 3:28:48 PM, on 7/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Q09NUEFR\command.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\services.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\dfndrb_3.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
C:\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Mavis Beacon Teaches Typing Deluxe 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{1ED74676-734E-40C7-B684-749E8B972B13}: NameServer = 195.92.195.95 195.92.195.94
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\k062lajo1doc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q09NUEFR\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINNT\services.exe

******************

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 7/01/2006 9:48:04 PM

Infected! C:\WINNT\system32\fpj8031ue.dll
Infected! C:\WINNT\system32\cStsrv.dll
Infected! C:\WINNT\system32\fp6603jse.dll
Infected! C:\WINNT\system32\fpj8031ue.dll
Infected! C:\WINNT\system32\iffosoft.dll
Infected! C:\WINNT\system32\mfiqtz32.dll
Infected! C:\WINNT\system32\mfl_mtf.dll
Infected! C:\WINNT\system32\mprle32.dll
Infected! C:\WINNT\system32\n28o0cl3efq.dll
Infected! C:\WINNT\system32\nvl0293mg.dll
Infected! C:\WINNT\system32\onecli.dll
Infected! C:\WINNT\system32\oxfox32.dll
Infected! C:\WINNT\system32\r6r60g9se6.dll
Infected! C:\WINNT\system32\wmcsapi.dll

Attempting to delete infected files...

Attempting to delete: C:\WINNT\system32\fpj8031ue.dll
C:\WINNT\system32\fpj8031ue.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\cStsrv.dll
C:\WINNT\system32\cStsrv.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\fp6603jse.dll
C:\WINNT\system32\fp6603jse.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\fpj8031ue.dll
C:\WINNT\system32\fpj8031ue.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\iffosoft.dll
C:\WINNT\system32\iffosoft.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\mfiqtz32.dll
C:\WINNT\system32\mfiqtz32.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\mfl_mtf.dll
C:\WINNT\system32\mfl_mtf.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\mprle32.dll
C:\WINNT\system32\mprle32.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\n28o0cl3efq.dll
C:\WINNT\system32\n28o0cl3efq.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\nvl0293mg.dll
C:\WINNT\system32\nvl0293mg.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\onecli.dll
C:\WINNT\system32\onecli.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\oxfox32.dll
C:\WINNT\system32\oxfox32.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\r6r60g9se6.dll
C:\WINNT\system32\r6r60g9se6.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\wmcsapi.dll
C:\WINNT\system32\wmcsapi.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4E22BEF5-CBCF-494A-94F8-7822BFC36705}"
HKCR\Clsid\{4E22BEF5-CBCF-494A-94F8-7822BFC36705}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D3A6B847-F070-4C7F-8E23-1DABBEBFEE63}"
HKCR\Clsid\{D3A6B847-F070-4C7F-8E23-1DABBEBFEE63}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BC45FE22-2FF5-4A5D-807E-970901FA3F86}"
HKCR\Clsid\{BC45FE22-2FF5-4A5D-807E-970901FA3F86}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E4F46215-E1AB-49A7-9EEE-F0CC828A8813}"
HKCR\Clsid\{E4F46215-E1AB-49A7-9EEE-F0CC828A8813}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CCE34DDD-877C-422C-B90E-7F2C6D97E5EB}"
HKCR\Clsid\{CCE34DDD-877C-422C-B90E-7F2C6D97E5EB}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


************************
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:27:23 PM 7/2/2006

+ Scan result:



C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MLEF07G9\!update-3920[1].0000 -> Adware.ClickSpring : No action taken.
C:\Documents and Settings\COMPAQ\Local Settings\Temp\temp.frB606 -> Adware.CommAd : No action taken.
C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
C:\WINNT\Q09NUEFR\command.exe -> Adware.CommAd : No action taken.
[1072] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[1216] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[1544] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[1600] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[1640] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[1652] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[1672] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[1756] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[1760] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[1784] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[1792] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
[692] C:\WINNT\Q09NUEFR\asappsrv.dll -> Adware.CommAd : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DKDUC1MA\Installer[1].exe -> Adware.Look2Me : No action taken.
C:\Installer.exe -> Adware.Look2Me : No action taken.
C:\WINNT\system32\CLYPTUI.DLL -> Adware.Look2Me : No action taken.
C:\WINNT\system32\PXBASE.DLL -> Adware.Look2Me : No action taken.
C:\WINNT\system32\f02mlaf11d2.dll -> Adware.Look2Me : No action taken.
C:\WINNT\system32\ktl4l73q1.dll -> Adware.Look2Me : No action taken.
C:\WINNT\system32\mhxoci.dll -> Adware.Look2Me : No action taken.
C:\WINNT\system32\s4pu0e79eh.dll -> Adware.Look2Me : No action taken.
C:\WINNT\system32\ssi.dll -> Adware.Look2Me : No action taken.
C:\WINNT\system32\syrobj.dll -> Adware.Look2Me : No action taken.
C:\WINNT\system32\uup10.dll -> Adware.Look2Me : No action taken.
C:\warebundle.exe -> Adware.Look2Me : No action taken.
C:\warebundle2.exe -> Adware.Look2Me : No action taken.
C:\warebundlenew.exe -> Adware.Look2Me : No action taken.
C:\windows\warebundle.exe -> Adware.Look2Me : No action taken.
C:\WINNT\system32\arpa.dll -> Adware.PurityScan : No action taken.
C:\Program Files\SurfSideKick 3 -> Adware.SurfSide : No action taken.
C:\Program Files\SurfSideKick 3\Ssk.exe -> Adware.SurfSide : No action taken.
C:\Program Files\SurfSideKick 3\SskBho.dll -> Adware.SurfSide : No action taken.
C:\Program Files\SurfSideKick 3\SskCore.dll -> Adware.SurfSide : No action taken.
C:\WINNT\Temp\i26.tmp -> Adware.SurfSide : No action taken.
C:\WINNT\Temp\i38.tmp -> Adware.SurfSide : No action taken.
C:\WINNT\Temp\iD.tmp -> Adware.SurfSide : No action taken.
C:\WINNT\Temp\zg22.tmp -> Adware.Surfside : No action taken.
C:\WINNT\system32\repairs303169590.dll -> Adware.SurfSide : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Adware.SurfSide : No action taken.
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : No action taken.
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : No action taken.
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : No action taken.
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : No action taken.
HKU\S-1-5-21-329068152-261478967-725345543-1000\Software\SurfSideKick3 -> Adware.SurfSide : No action taken.
HKU\S-1-5-21-329068152-261478967-725345543-1000\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : No action taken.
C:\Documents and Settings\COMPAQ\Local Settings\Temp\temp.frC6BC\Programs\webhdll.dll_tobedeleted -> Adware.WebHancer : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WTUJ4XEV\c1[1].exe -> Backdoor.SdBot.ass : No action taken.
C:\WINNT\services.exe -> Backdoor.SdBot.ass : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MLEF07G9\kybrdb_3[1].exe -> Backdoor.VB.ary : No action taken.
C:\kybrdb_3.exe -> Backdoor.VB.ary : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WTUJ4XEV\defender25[1].exe -> Downloader.Adload.bx : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MLEF07G9\de[1].exe -> Downloader.Adload.cd : No action taken.
C:\steam.exe -> Downloader.Adload.cd : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IK3VXS3F\drsmartload849a[1].exe -> Downloader.Adload.ck : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MLEF07G9\drsmartload45a[1].exe -> Downloader.Adload.ck : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MLEF07G9\drsmartload46a[1].exe -> Downloader.Adload.ck : No action taken.
C:\drsmartload45s.exe -> Downloader.Adload.ck : No action taken.
C:\drsmartload46s.exe -> Downloader.Adload.ck : No action taken.
C:\drsmartload849s.exe -> Downloader.Adload.ck : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IK3VXS3F\nwnmb_3[1].exe -> Downloader.Adload.cm : No action taken.
C:\nwnmb_3.exe -> Downloader.Adload.cm : No action taken.
C:\Program Files\Common Files\svchostsys\svchostsys.exe -> Downloader.Small : No action taken.
C:\Program Files\Common Files\svchostsys\svchostupdate.exe -> Downloader.Small : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MLEF07G9\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : No action taken.
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : No action taken.
C:\MTE3NDI6ODoxNgnew.exe -> Downloader.Small.buy : No action taken.
C:\windows\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : No action taken.
C:\Program Files\microsoft frontpage\mecolobuq.dll -> Downloader.Small.ctp : No action taken.
C:\Documents and Settings\COMPAQ\Local Settings\Temp\temp.fr17B7 -> Downloader.TSUpdate.n : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MLEF07G9\stub_113_4_0_4_0[1].exe -> Downloader.TSUpdate.o : No action taken.
C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : No action taken.
C:\stub_113_4_0_4_0new.exe -> Downloader.TSUpdate.o : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WTUJ4XEV\newname25[1].exe -> Downloader.VB.abm : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DKDUC1MA\dfndrb_3[1].exe -> Downloader.VB.afv : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IK3VXS3F\dfndrc_2[1].exe -> Downloader.VB.afv : No action taken.
C:\dfndrb_3.exe -> Downloader.VB.afv : No action taken.
C:\dfndrc_2.exe -> Downloader.VB.afv : No action taken.
[1740] C:\dfndrb_3.exe -> Downloader.VB.afv : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DKDUC1MA\kybrdc_2[1].exe -> Downloader.VB.agi : No action taken.
C:\kybrdc_2.exe -> Downloader.VB.agi : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MLEF07G9\drsmartload[1].exe -> Downloader.VB.agk : No action taken.
C:\drsmartload1.exe -> Downloader.VB.agk : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MLEF07G9\SS1001[1].exe -> Dropper.Small.qn : No action taken.
C:\SS1001.exe -> Dropper.Small.qn : No action taken.
C:\SS1001new.exe -> Dropper.Small.qn : No action taken.
C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WTUJ4XEV\keyboard25[1].exe -> Hijacker.StartPage.aju : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WTUJ4XEV\nwnmb_2[1].exe -> Hijacker.VB.fc : No action taken.
C:\nwnmb_2.exe -> Hijacker.VB.fc : No action taken.
C:\WINNT\Temp\ICD1.tmp\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@thomascook.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@e-2dj6wfkiahazggo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@e-2dj6wfkyojd5maq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@e-2dj6wfliknc5ahp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@e-2dj6wflokndjmbq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@e-2dj6wfmyejcpmlp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@as-eu.falkag[2].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@kmpads[2].txt -> TrackingCookie.Kmpads : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@revenue[1].txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Documents and Settings\Default User\Cookies\system@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@h.starware[1].txt -> TrackingCookie.Starware : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@www.starware[1].txt -> TrackingCookie.Starware : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@media.top-banners[1].txt -> TrackingCookie.Top-banners : No action taken.
C:\Documents and Settings\Default User\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\COMPAQ\Cookies\compaq@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
C:\Program Files\Common Files\simtest\sysstall.exe -> Trojan.Zapchast.bl : No action taken.


::Report end


Sam
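The structural checks a helper applies by eye when reading a HijackThis log, as an added example that is not from this thread or from the HijackThis project: the sample lines are copied from the logs posted above, and the list of Windows binaries that belong only in system32 is an assumption of the example.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not part of the original forum thread. It scores a handful of
HJT entries on structure alone: autoruns launched from the drive root,
system-file names outside system32, load-point types that legitimate software
rarely uses (O20), and services with no vendor string or a missing binary.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the logs posted above, plus benign ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmb_3.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\k062lajo1doc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q09NUEFR\command.exe (file missing)
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINNT\services.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
"""

# Assumption of this example: core Windows binaries that live only in system32.
# The same file name anywhere else (C:\WINNT\services.exe above) is a red flag.
SYSTEM_EXE_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                    "winlogon.exe", "smss.exe", "csrss.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in an executable extension, quotes optional.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def extract_path(text: str) -> Optional[str]:
    """Return the first executable path in an HJT line, or None."""
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the structural heuristics to one HJT entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    f = Finding(line=line.strip())
    path = extract_path(body)
    if path:
        folder, _, name = path.rpartition("\\")
        # C:\foo.exe or C:\\foo.exe: installers do not drop autoruns in the root.
        if re.fullmatch(r"[A-Za-z]:\\*", folder):
            f.reasons.append("executable launched from the drive root")
        if (name.lower() in SYSTEM_EXE_NAMES
                and not folder.lower().endswith("\\system32")):
            f.reasons.append(f"{name} outside system32 (mimics a Windows binary)")
        if "(file missing)" in body:
            f.reasons.append("load point references a file that no longer exists")
    if kind == "O20":
        f.reasons.append("O20 (AppInit_DLLs / Winlogon Notify) is rarely used legitimately")
    if kind == "O23" and "Unknown owner" in body:
        f.reasons.append("service has no vendor string")
    if kind == "O4":
        value = re.search(r"\[(.*?)\]", body)
        if value and value.group(1).lower().endswith(".dll"):
            f.reasons.append("Run value name mimics a system DLL")
    return f


def triage(log_text: str) -> List[Finding]:
    """Return only flagged entries, highest score first (stable order otherwise)."""
    findings = [f for f in map(triage_line, log_text.splitlines()) if f and f.reasons]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.score}] {finding.line}")
        for reason in finding.reasons:
            print("     -", reason)
```

SurfSideKick's Program Files entries score zero here, which is why a helper combines structural checks like these with name reputation, as the Ewido report above does.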
narfette
I just noticed there's not really a firewall on this computer, so I put ZoneAlarm on.
When I next connected, it said it was blocking 'project 1'.

And although it was connected, it will not open internet pages...
Is this a dialer or something?

Can anyone help?

Thanks
LoPhatPhuud
Please do not make any software changes while we are working to clean your computer!!!! If necessary, remove ZoneAlarm. You can re-install and deal with any issues from ZA after we are finished.


Download the latest version of Ewido.

http://www.ewido.net/en/download/

Install it and reboot your computer.

Open Ewido.

1. Click the Update Now line.
2. After the update is completed click the "Scanner" button on the top line.
3. Click the "Complete System Scan" line to begin the scan.
4. When the scan is complete, click the "Save Report" button to save the report.
5. Click the "Scanner" button on the top to return to the results.
6. Click the "Set All Elements to" Recommended Action.
7. Click the "Apply all actions" button.
8. Click on the "Reports" Icon at the top.
9. Click on the report that was generated today to see the results on the right side.
10. Highlight the results on the right side and copy and paste them into your reply.


11. Run HiJackThis again, and post a new log in this thread.
narfette
I've decided to load Windows XP onto this machine, as it's so slow and I figured with all the spyware and such it might be easier to just wipe the whole thing and start again.

Am I right in thinking that formatting the hard drive and loading XP will get rid of all the bad stuff?

Also, is ZoneAlarm an OK firewall to install? It's the ZoneAlarm suite.

Thanks for your help
LoPhatPhuud
ZoneAlarm is an excellent firewall. If you install the whole suite, make sure you only have one antivirus providing real-time protection.